Friday, December 26, 2014

DMVPN - phase one - OSPF

Today I would like to start with a well-known and widely deployed
technology: Dynamic Multipoint Virtual Private Network (DMVPN). It was
invented more than 10 years ago. DMVPN is very popular because it allows
us to create point-to-point or full-mesh secure connections between
many hosts. The main problem with point-to-point VPNs is their lack of
scalability in terms of configuration management once there are more than
a few point-to-point tunnels.
DMVPN is not a single protocol; it is a collection of protocols and frameworks:
IPsec, multipoint GRE (mGRE) and the Next Hop Resolution Protocol (NHRP).
Let's look at the scenario below, where you can see one hub (for example
HQ) and two spokes (branches). You could compare it with GET VPN,
but there are more differences than similarities between them. Generally
speaking, DMVPN consists of one hub router (it has to have a static IP) and
many spokes (a static IP is not required). From a configuration perspective,
the spokes know the IP of the hub router, but the hub does not need to know
the IPs of the spokes, so they can be dynamic.

In this post I describe the OSPF protocol, but you need to remember that it is not widely used with DMVPN because of the area issue (there can be only one area) and its scalability. EIGRP and BGP are the preferred protocols.

I put an ASA in the middle to better understand what protocols and packets are exchanged between them.
Let's start by configuring basic IP connectivity and allowing ping between all physical interfaces.

OK, now we have connectivity and it's time to configure the tunnel
interfaces. I prefer to enable the tunnels first without any protection
(IPsec profile) to make my life simpler in case something doesn't work.
You don't need to remember all the commands because they are available here (even during your CCIE lab):

We can't see GRE anymore, only ESP. What does it mean? It means the
tunnel protection works fine and all GRE packets are now encrypted by
ESP. For security reasons I'm going to remove all 'permit GRE' access-list
entries on the ASA. That protects us against unencrypted communication in case of
an IPsec failure. I remember a discussion on a Cisco forum about GRE
and IPsec. The topic was whether a connection is 'IPsec over GRE' or
'GRE over IPsec'. In this case we have 'GRE over IPsec', because
we can't see GRE anymore, only ESP.
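To make the "remove the GRE permits" step concrete, here is an added example of what the ASA access list between the spoke and the hub can look like once only the encrypted traffic is allowed. This is not the access list from the original post; the interface name, access-list name and the 203.0.113.x addresses are placeholders I chose.

```cisco
! ASA sitting between spoke (203.0.113.2) and hub (203.0.113.1), placeholder addresses
! Only the IPsec control and data channels are permitted:
access-list OUTSIDE_IN extended permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
access-list OUTSIDE_IN extended permit udp host 203.0.113.2 host 203.0.113.1 eq 4500
access-list OUTSIDE_IN extended permit esp host 203.0.113.2 host 203.0.113.1
! Deliberately no "permit gre" line: if IPsec fails and GRE goes out in clear text,
! it hits the implicit deny instead of crossing the firewall unencrypted.
access-group OUTSIDE_IN in interface outside
```

With this in place, a tunnel whose IPsec SA has not come up simply stays down (the ASA drops the plaintext GRE), and `show access-list OUTSIDE_IN` on the ASA plus a packet capture filtered on ESP are the quickest ways to confirm that nothing but encrypted traffic is passing. The same list is needed in the other direction for traffic from the hub to the spoke.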

The last thing to check is the connection between the spokes. As the title
says 'DMVPN phase one', I need to explain what that means. There are three
phases of DMVPN. Phases 2 and 3 were developed to improve on phase one. The
difference between them is the possibility of a direct connection between
spokes in DMVPN phase 2 and 3 (I will write about that in my next posts).
In phase one, all traffic between spokes has to be sent via the hub,
which of course has an impact on performance, etc.